SMFX
Well, it seems like such a simple thing that was actually
nice about NT4, but I can't seem to find a way to do it
with Win2k or Win2k3: Falling back to local DC.
Basically, in NT4, if a member server couldn't contact a
trusted domain it would fall back to its own PDC for
authenticating the user. This was nice for DMZ type
setups because you could have one server (the DMZ PDC) as
a point that could authenticate against the internal
domain.
Now in Win2k, if the member server cannot contact the DC
of the trusted domain, it doesn't try its own PDC but just
assumes the domain is unreachable.
I know it's not the best security idea in the world to have
anything authenticate in your DMZ to your internal
systems, but sometimes there are practical applications, esp.
for single-sign-on implementations.
Rather than having to have EVERY web server in the DMZ
have to be able to reach my internal DC (gak!), is there
any way to make the external member servers authenticate a
foreign user via its own DC?
TIA,
SMFX